StackExchange / blackbox

Safely store secrets in Git/Mercurial/Subversion


Can't use secure GPG storage location

ndastur opened this issue · comments

I am not very familiar with GPG and so maybe just confused. But the README says:

Pick defaults for encryption settings, 0 expiration. Pick a VERY GOOD passphrase. Store
the private key securely. Tip: Store it on a secure machine, or one with little or no internet
access, with full-disk-encryption, etc. Your employer probably has rules about how to
store such things.
In https://github.com/StackExchange/blackbox#how-to-indoctrinate-a-new-user-into-the-system

Yet if I create a keypair on secure storage, let's say an encrypted OSX disk image, I can't use those keys with blackbox unless I import both the public and private keys into my home directory keybook.
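One way to keep the private key off the default `~/.gnupg` keyring while still using it with blackbox is to give GnuPG a dedicated home directory on the encrypted volume and point `GNUPGHOME` at it; blackbox shells out to `gpg`, which honours that variable. The script below is an added example, not code from the blackbox project or from either participant. The mount point `/Volumes/SecretKeys`, the user id `Alice Example <alice@example.com>` and the script name are placeholders; the `keyring_dir_is_safe` check mirrors the permission warning gpg itself emits for a group- or world-accessible home directory.

```shell
#!/bin/sh
# Added example (not blackbox project code): keep GPG keys in a dedicated
# GnuPG home on an encrypted volume and use it via GNUPGHOME, so nothing is
# imported into ~/.gnupg.
set -eu

# Placeholder locations/identity: adjust to your encrypted volume and identity.
SECURE_HOME="${SECURE_HOME:-/Volumes/SecretKeys/gnupg}"
USERID="${USERID:-Alice Example <alice@example.com>}"
PUBKEY_OUT="${PUBKEY_OUT:-./pubkey.asc}"

# gpg warns about, and may refuse, a home directory readable by other users.
# Returns 0 when the directory exists and has mode 700, 1 otherwise.
keyring_dir_is_safe() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # GNU coreutils uses 'stat -c', BSD/macOS uses 'stat -f'.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$mode" = "700" ]
}

# One-time setup: create the key in the secure home (defaults, no expiry,
# interactive passphrase prompt, as the README recommends) and export only
# the public half for sharing with the repo's other admins.
generate_key_in_secure_home() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    mkdir -p "$SECURE_HOME"
    chmod 700 "$SECURE_HOME"
    keyring_dir_is_safe "$SECURE_HOME" || {
        echo "refusing: $SECURE_HOME is group/world accessible" >&2
        return 1
    }
    export GNUPGHOME="$SECURE_HOME"
    # algo=default, usage=default, expire=0 (never), per the README.
    gpg --quick-generate-key "$USERID" default default 0
    gpg --armor --export "$USERID" > "$PUBKEY_OUT"
    echo "public key written to $PUBKEY_OUT; private key stays in $SECURE_HOME"
    echo "next: inside the repo, run 'blackbox_addadmin \"$USERID\"' with" \
         "GNUPGHOME=$SECURE_HOME exported, then have an existing admin" \
         "re-encrypt with blackbox_update_all_files"
}

# Daily use: export GNUPGHOME in the shell before any blackbox_* command,
# e.g.  GNUPGHOME=/Volumes/SecretKeys/gnupg blackbox_edit secrets/db.yaml
# When the volume is unmounted, decryption simply fails: the secrets are
# readable only while the encrypted image is attached.

# Run the setup only when explicitly requested, so sourcing this file is safe.
case "${RUN_SETUP:-0}" in
    1) generate_key_in_secure_home ;;
esac
```

Run the one-time setup with `RUN_SETUP=1 SECURE_HOME=/path/on/encrypted/volume sh secure-gpg-home.sh`; afterwards every blackbox command finds the private key only while `GNUPGHOME` points at the mounted volume. Whether blackbox picks the key up through `GNUPGHOME` rather than a `--homedir` flag is an assumption based on it calling the stock `gpg` binary; verify against the blackbox version you run.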

Short version:
When I wrote "Tip: Store it on a secure machine, or one with little or no internet
access, with full-disk-encryption, etc" I was thinking about where you keep backups of your keys. You might want to put them on a USB key in a safe (no internet access).

For daily use... that's another thing...

If you do a google search for "how to store gpg keys" you'll find a lot of advice, some of it conflicting. Here's my general rule:

"If a key protects X, it has to be stored someplace as or more secure than X."

For example if you are using blackbox on a repo used with a Puppet Master, then you can only decrypt the keys on machines that are as secure as the Puppet master. This rule goes for the private keys too.

You then designate certain machines to be maintained as securely as the puppet master.

A more flexible rule is to set up a list of criteria for machines with decrypted secrets. For example, it might have to be hardware owned by the company (no personal laptops), disk encryption, and various other settings.

I have 2 laptops: one owned by work and the other is personal. We have a company rule that says corporate secrets can only be on work-owned hardware. Therefore I don't import my private key on my personal laptop. My work-owned laptop has disk encryption enabled and a number of other security rules are followed. My personal laptop can "git clone" the repo, but I can't decrypt the secrets. (Surprisingly, I'm able to get a lot of work done on my personal laptop.)

At a previous employer the rule was similar but they included (non-open source) source code as "secret". Thus, you basically couldn't use a personal laptop for anything work-related. The company would gladly buy you a 2nd laptop if you were traveling. They had different rules for "high value information"... that kind of info couldn't even be on a laptop or any machine that left the building.

Security isn't "on or off"... it is about risk and risk management. Decide what risk you are willing to accept.

Tom

@tlimoncelli thank you. That is not a "short" answer and so thank you for taking the time for a very informed reply.